Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Cyber-criminals likely based in Russia and the Ukraine have compromised computers at thousands of companies with a malware program known as Mevade, hijacking search traffic and conducting click fraud to turn the compromised systems into cash, security firm Websense stated in an analysis posted online on Oct. 23.

The attack has hit companies in the United States, the United Kingdom, Canada and India, among others, and has targeted the business services, manufacturing and transportation industries, as well as government agencies. The list of targeted industries is interesting because—while the Mevade malware is focused on generating cash for the operators of the botnet—it could easily be turned into a data-stealing espionage network, Alex Watson, director of research for Websense Labs, told eWEEK.

"If you look at malware and its capabilities, this group is really going after whatever money they can get," Watson said. "But if you look at the targets, it's definitely concerning. It would only take a change in business model to sell access to a number of critical industries."

Mevade is not a new malware program. First detected by Microsoft on July 2, 2013, the program is likely a variant of malware called Sefnit, used by a cyber-criminal group since 2011. In late July, the number of computers infected by the program, and the industries infiltrated by the botnet, rose quickly, peaking in late August and early September, according to data from Websense. Since late September, the pace of compromise has gradually slowed, suggesting that the campaign has ended, Watson said.

Further reading

The lull is not unusual for criminal activity, he said. In many cases, cyber-criminal groups will stop using a particular binary executable when antivirus firms broadly detect the program and its variants. Infections will slow or stop while the cyber-criminal groups work on creating a version of the program that antivirus software fails to detect, he said.

The program conducts click fraud, falsifying users' clicks on Website advertisements to generate fraudulent affiliate fees for the criminal group behind the program.

Mevade gained notoriety in early September when it was connected to a massive spike in user traffic on the Tor anonymizing network. The number of simultaneous user connections jumped at least sixfold to 3 million, from 5o0,000, because a botnet began routing traffic through the network to anonymize the origin and destination of the communications. Security experts connected Mevade to the spike in traffic and estimated that between 1.5 million and 5 million computers were responsible for the traffic.

"Using an anonymizing service like Tor, it is nearly impossible to attribute the infected machines back to the servers they came from," Websense's Watson said.

Other industries infected by the Mevade malware include health care, mining, agriculture, communications, education and retail/trade industries, according to Websense. The extensive infrastructure likely means that the attackers are well-financed, the company stated in its analysis.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.